FIG. 1A

Start (100)

Network Station (e.g. router, switch, gateway, network computer having server or client logic, etc.)

Network Station receives packet with header

Obtain complete, ordered, Access Control List (ACL) where the order is that specified by a network administrator

ACL Hash-Table-Balancing Bit Selection Vector Production Process

"Hash-Table-Balancing Bit Selection Vector" which has one or more pointers which point to bit positions, within fields of packet headers utilized by rules of the ACL, which will be used to construct one or more hash table index values which substantially guarantee that a yet-to-be-constructed Balanced Hash Table of ACL Binary Comparison Trees will be substantially balanced

User ACL-to-Balanced Hash Table of ACL Binary Comparison Trees Conversion Process

Balanced Hash Table of ACL Binary Comparison Trees, hereinafter referred to as "Balanced Hash Table of ABCTs," where the Balanced Hash Table encodes the ACL

Per-Packet Processing Engine uses Hash-Table-Balancing Bit Selection Vector to form a hash table index value from the packet header fields, and uses the hash table index value to "key into" the Balanced Hash Table of ABCTs; thereafter, a walk of the Balanced Hash Table of ABCTs is performed to determine the disposition appropriate to the received packets

Walk of Balanced Hash Table of ABCTs results in disposition of packet in manner mandated by ACL
Start (200)

Obtain complete, ordered, ACL of access control rules for network member, the obtained rules being in an order specified by network administrator.

Identify packet header fields utilized by ACL rules in the ACL

Scan each ACL Rule in the complete, ordered, ACL and construct an exemplar bit string, where the exemplar bit string has one field for each packet header field utilized at least once by any ACL rule in the ACL and such that no fields are duplicated within the exemplar

For each ACL rule, construct and store a bit string modeled upon the exemplar bit string, where the constructed bit string for each such ACL rule will contain the contents of any packet header fields utilized by each such ACL rule and Don't Care ("X") bits as the contents of fields not utilized by each such ACL rule

Specify bit length, or number of bits, of the index which will be utilized to "key into" a yet-to-be-constructed Balanced Hash Table of ABCTs

Using a heuristic balancing process, select a number of bit positions within the bit strings, constructed for and associated with each ACL rule, such that the number of bits selected is equal to the number of bits in the hash table index and such that the bit positions selected are those positions in which the bits utilized by the ACL rules appear relatively most frequently and which have mostly equal variation between zeros and ones; set Hash-Table-Balancing Bit Selection Vector to point to the selected bit positions

Specify a number, equal to the number of unspecified pointers of the Hash-Table-Balancing Bit Selection Vector, of potential "R" columns as actual "K" Hash-Table-Balancing Bit Selection Vector Pointer Indication Columns, whose columns' corresponding bit positions in the respective fields from which the respective Bit Strings were constructed will thereafter be pointed at by pointers of the Hash-Table-Balancing Bit Selection Vector

Specify all potential "P" or "R" columns as actual "K" Hash-Table-Balancing Bit Selection Vector Pointer Indication Columns, whose columns' corresponding bit positions in the respective fields from which the respective Bit Strings were constructed will thereafter be pointed at by pointers of the Hash-Table-Balancing Bit Selection Vector

Subtract number of actual "K" Hash-Table-Balancing Bit Selection Vector Pointer Indication Columns just specified from "Number of Unspecified Pointers of the Hash-Table-Balancing Bit Selection Vector"

Mark columns of Larger Total Count Row and mark columns of Smaller Total Count Row which have been specified, at any point in the process, as actual "K" Hash-Table-Balancing Bit Selection Vector Pointer Indication Columns as "No Longer Selectable/No Longer under Consideration"
Start (400)

Obtain complete, ordered, ACL

Create Hash Table having number of entries corresponding to the specified Bit Length of the Hash Table Index

Set "Rule Under Consideration" to be first rule in the ACL

Using Hash-Table-Balancing Bit Selection Vector, examine bit positions of the packet header fields utilized by the rule under consideration which are pointed at by Hash-Table-Balancing Bit Selection Vector

Using the bit values contained within the examined bit positions of the fields utilized by the rule under consideration, construct a Hash Table Index Value to "Key Into" a row of the created Hash Table

For the rule under consideration, examine from left to right the fields utilized by the rule under consideration, construct a Binary Comparison Tree entry for each such field utilized

At the hash table entry which was "Keyed Into" utilizing the Hash Table Index Value constructed for the rule under consideration, append the Binary Comparison Tree constructed for the Rule Under Consideration

Set rule under consideration to be the next ACL rule sequentially appearing in the ACL

Designate constructed table to be a Balanced Hash Table of ABCTs
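An added example, not the patent's own code, that runs the bit-selection process, the ACL-to-hash-table conversion and the per-packet walk described above end to end in Python: rule bit strings with Don't Care "X" bits, a balancing heuristic that picks the index positions specified by the most rules and split most evenly between 0 and 1, a hash table whose buckets keep their rules in ACL order, and a packet classification that keys into one bucket and walks each rule's chain of field compares. The field widths, the replication of a rule into every bucket its "X" bits could select, and the sample ACL (loosely based on the addresses and ports in the figures) are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import product

FIELD_WIDTHS = {"proto": 8, "src": 32, "sport": 16, "dst": 32, "dport": 16}  # assumed exemplar layout

@dataclass
class Rule:
    action: str  # "permit" or "deny"
    fields: dict = field(default_factory=dict)  # header field -> exact value; absent = Don't Care

def ip(s):
    return int(ipaddress.IPv4Address(s))

def rule_bits(rule):
    """Bit string modeled on the exemplar: field contents, or 'X' bits for unused fields."""
    return "".join(format(rule.fields[n], f"0{w}b") if n in rule.fields else "X" * w
                   for n, w in FIELD_WIDTHS.items())

def select_index_bits(bitstrings, index_len):
    """Heuristic balancing: positions specified by the most rules first, then the most even 0/1 split."""
    def score(pos):
        col = [s[pos] for s in bitstrings]
        return (-sum(c != "X" for c in col), abs(col.count("0") - col.count("1")), pos)
    return sorted(range(len(bitstrings[0])), key=score)[:index_len]

def index_of(bits, positions):
    """Index from the selected positions; an 'X' there yields every index the rule could take
    (assumed handling: such a rule is replicated into all of those buckets)."""
    choices = [bits[p] if bits[p] != "X" else "01" for p in positions]
    return [int("".join(c), 2) for c in product(*choices)]

def build_table(acl, index_len):
    """Balanced hash table: each bucket holds the rules keyed to it, in ACL order."""
    positions = select_index_bits([rule_bits(r) for r in acl], index_len)
    table = [[] for _ in range(2 ** index_len)]
    for rule in acl:
        for idx in index_of(rule_bits(rule), positions):
            table[idx].append(rule)
    return positions, table

def classify(positions, table, pkt, default="deny"):
    """Per-packet engine: key into one bucket, then walk each rule's chain of field compares;
    the first rule whose compares all match decides, otherwise the default applies."""
    bits = "".join(format(pkt[n], f"0{w}b") for n, w in FIELD_WIDTHS.items())
    (idx,) = index_of(bits, positions)  # a real packet has no 'X' bits, so exactly one index
    for rule in table[idx]:
        if all(pkt[n] == v for n, v in rule.fields.items()):
            return rule.action
    return default

# Constructed sample ACL (proto 6 = TCP, 17 = UDP); order is the administrator's order
ACL = [
    Rule("deny",   {"proto": 6,  "src": ip("23.20.7.0")}),
    Rule("permit", {"proto": 6,  "dst": ip("30.22.21.5"), "dport": 28}),
    Rule("deny",   {"proto": 17, "dst": ip("30.22.21.5"), "dport": 11}),
    Rule("permit", {"proto": 17, "dst": ip("30.22.21.7")}),
]
POSITIONS, TABLE = build_table(ACL, index_len=4)
```

With this ACL the heuristic picks four protocol-field positions that split TCP and UDP rules evenly, so the two TCP rules and the two UDP rules land in separate buckets and a packet only walks the rules that can apply to it.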
FIG. 5

Does rule under consideration make a decision based on protocol field of packet header?
Yes: Insert Protocol compare node having miss and match branches consistent with protocol field of rule under consideration

Does rule under consideration make a decision based on source address field of packet header?
Yes: Insert source address compare node having miss and match branches consistent with source address field of rule under consideration

Does rule under consideration make a decision based on source port field of packet header?
Yes: Insert source port compare node having miss and match branches consistent with source port field of rule under consideration

Does rule under consideration make a decision based on destination address field of packet header?
Yes: Insert destination address compare node having miss and match branches consistent with destination address field of rule under consideration

Does rule under consideration make a decision based on destination port field of packet header?
Yes: Insert destination port compare node having miss and match branches consistent with destination port field of rule under consideration

Insert stop node having miss and match branches consistent with final dispensation of rule under consideration
New compare node pointer is set to point to the leftmost node of the binary comparison tree for the rule under consideration; new compare node field type is set equal to the type of field utilized by the node pointed to by the new compare node pointer

Old compare node pointer is set to the leftmost node (or root) of the pre-existing binary comparison tree already present at the hash index; old compare node field type is set equal to the type of field utilized by the node pointed at by the old compare node pointer

Is new compare node field type the same as old compare node field type?

New stored node pointer is set to be equal to the new compare node pointer

Old stored node pointer is set to be equal to old compare node pointer

Next new node pointer is set to point to the node at the end of the match branch of the node pointed to by the new compare node pointer (i.e., the next node on the match branch of the binary comparison tree for the rule under consideration)

New compare node pointer is reset to be equal to the next new node pointer

Next old node pointer is set to point to the node at the end of the match branch of the node pointed to by the old compare node pointer

Binary comparison tree is appended in its entirety at the hash table entry associated with the hash table index, with the leftmost node of binary comparison tree serving as root of the tree

Next old node pointer is set to point to the node at the end of the miss branch of node pointed to by the old compare node pointer (i.e., the next node on the match branch of the binary comparison tree for the pre-existing tree at hash table index)

Old compare node value is reset to be the value of the next old node pointer

FIG. 6C

Next old node pointer is set to point to the node at the end of the miss branch of the node pointed to by the old compare node pointer

Next old node pointer is set to point to the node at the end of the MATCH branch of old STORED node (we are doing this because if the field type does not match, part of the binary comparison tree created for the rule under consideration must be appended to both the miss and match branch of the pre-existing hash table tree since the ACL rule(s) encoded by the pre-existing hash table tree do not utilize the field type which is utilized by the binary tree constructed for the current rule under consideration)

Old compare node pointer is reset to equal the next old node pointer

The new compare node pointer is set to point to the node pointed at by the new stored node pointer; the reason that this pointer is not advanced at this method step is that now the process is going to append at least part of the binary rule under consideration to the match branch of the pre-existing tree where the field types did not match

FIG. 6D

Old compare node pointer is reset to be the value of the next old node pointer

Add tree residual, starting from the node of the binary comparison tree for the rule under consideration, pointed at by new compare node pointer, at the end of the miss branch of the old compare node, which is a node in the hash table tree; that is, the node having a value equating to a stop node is replaced with the remainder of the binary tree for the rule under consideration, where the first replacement node is that node pointed at by the new compare node pointer

Old compare node pointer is reset to equal the next old node pointer

The node on the miss branch of node pointed to by old compare node pointer is replaced with the node pointed at by new compare node pointer (i.e., the new compare node value is appended onto the pre-existing binary comparison tree)

Default deny node value is appended to the miss branch of the node just appended to the pre-existing hash table tree (i.e., the node pointed to by the new compare node pointer) as was discussed in preceding method step

Stop

Add tree residual, starting from the node of the binary comparison tree for the rule under consideration, pointed at by new compare node pointer, at the end of the match branch of the old compare node, which is a node in the hash table tree; that is, the node having a value equating to a stop node is replaced with the remainder of the binary tree for the rule under consideration, where the first replacement node is that node pointed at by the new compare node pointer
Since there are more candidates "P" than number of unspecified pointers of bit selection vector (at this point, 3 pointers have been specified as "K," meaning that one additional pointer is necessary to have the pointers required to completely point out the 4 bit hash table index), repeat the selection operation above

Note: Since all entries in the "Smaller Total Count" Row columns, corresponding with the selected row columns of the "Larger Total Count" Row, were the same number (i.e., the base ten number 3), all "P" row columns are redesignated as candidates "R".

Since after redesignation there are still more candidates "R" than the number of unspecified pointers of bit selection vector, all "R" candidates are deemed equally good choices; consequently, the number of actual "K" bit selection vector pointer indication columns, whose corresponding bit positions in the respective fields from which the respective bit strings were constructed will thereafter be pointed at by pointers of the bit selection vector necessary to completely point out the hash table index value (i.e., in the present example, one more pointer is needed) may be selected at random from the designated "R" row columns.

Note: Select row column 34 at random.

There are now specified actual "K" bit selection vector pointer indication columns, whose corresponding bit positions in the respective fields from which the respective bit strings were constructed will thereafter be pointed at by pointers of the bit selection vector, equal in number to the bit length of the hash table index; consequently, the pointers of the bit selection vector, which will be utilized to point to bit positions used to form a hash table index value which will be used to "key into"

Note: These actual "K" bit selection vector pointer indication columns, whose corresponding bit positions in the respective fields from which the respective bit strings were constructed will thereafter be pointed at by pointers of the bit selection vector, indicate that the first, third, and fourth leftmost bit positions within the "protocol ID" field, and the fourth leftmost bit position within the "destination address" field, will be utilized as the hash table index bits.
Example Showing the Construction of Balanced ... (cont.)
Example Showing the Creation of a Binary Comparison Tree

DENY TCP 23.20.7.0 XXXX

Protocol = TCP? match -> Source Addr. = 23.20.7.0 match -> DENY
                miss -> DEFAULT DENY

(Figure text, partly illegible in the scan:) ... positions serving as hash key index (e.g., bit position 1 contains "0"; bit position 3 contains "0"; bit position 4 contains [illegible]; and bit position 34 contains [illegible]) and build the Binary Comparison Tree of this selected ACL rule, building on any ... since ... destination address, the miss branch of all destination address branches present must feed back into the source address compare instruction associated with this fifth Rule

Protocol = TCP? match -> Dest. Addr. ... match -> Dest. Port = 28 match -> PERMIT PACKET
                                                  Dest. Port > 23 match -> ...
                miss -> DEFAULT DENY

(Further tree fragments in the figure: ... = 23.2010 ..., DENY PACKETS, DEFAULT DENY; remaining figure text illegible)

Application No.: 09/483,110
First Named Inventor: Faisal Haq
Title: Implementing Access Control Lists Using A Balanced Hash Table of Access Control List Binary Comparison Trees




Protocol = UDP? match -> Dest. Addr. = 30.22.215 match -> Dest. Port = 11 match -> DENY PACKET
                miss -> DEFAULT DENY           miss -> DEFAULT DENY    miss -> DEFAULT DENY

Dest. Addr. = 30.22.21.X match -> PERMIT PACKET
              miss -> DEFAULT DENY